Bug 1690882 - virt_use_nfs should be on by default
Summary: virt_use_nfs should be on by default
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Steve Milner
QA Contact: Micah Abbott
Depends On:
TreeView+ depends on / blocked
Reported: 2019-03-20 11:51 UTC by Tomas Smetana
Modified: 2019-06-04 10:46 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:46:13 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:46:19 UTC

Description Tomas Smetana 2019-03-20 11:51:57 UTC
Description of problem:
It's not possible to use NFS Persistent volumes on RHCOS because of the default SELinux settings.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux CoreOS 410.8.20190315.0

How reproducible:

Steps to Reproduce:
1. Follow the 3.11 guide to set up a persistent NFS volume, have pod write some data to the NFS mount

Actual results:
"Permission denied" + AVC messages in the log:
kernel: audit: type=1400 audit(1553081660.416:5148): avc:  denied  { write } for  pid=41363 comm="sh" name="dir_1" dev="0:356" ino=35412058 scontext=system_u:system_r:container_t:s0:c480,c827 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0

Expected results:
No AVC, pod is able to use the NFS persistent volume normally

Additional info:
The problem is that the virt_use_nfs SELinux boolean is off by default:

[root@test1-f2ptm-worker-0-mwsz8 log]# getsebool virt_use_nfs
virt_use_nfs --> off

This was already fixed once on Atomic images: see the bug #1220303

Comment 6 errata-xmlrpc 2019-06-04 10:46:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.